Organizations may offer one or more cloud services to users over a network (e.g., the Internet). The cloud services may include computation, software, data access, storage services, etc. that physically reside elsewhere (e.g., another computer or the organizations data center) which users can access from their own computer or device over a network. Since sensitive information may be sent to or received from these cloud services, corporate policy may limit access to cloud services depending on the user, device, network, etc. Conventionally, information security and protection is integrated deep within the cloud service applications. Configuration and maintenance of the security policies may be burdensome and possibly inconsistent with cloud service access policies (e.g., governance, risk management and compliance (GRC) policies) set for other cloud services. Thus, cloud service providers are not able to control and validate governance and compliance in a consistent and uniform fashion.